Thursday’s Committee hearing on reforming the Foreign Intelligence Surveillance Act (FISA) reviewed the two rival bills in an effort to find a balance between security and privacy. The Committee is expected to have further lively debate on the proposed legislation next week, before the bill is sent for consideration by the full Senate.

…

Feinstein’s bill would also seek to expand the US government’s spying capabilities by authorizing the monitoring of terror suspects the NSA is tracking overseas when they arrive in the US.

Currently, when a suspected terrorist arrives in America, the NSA has to halt its surveillance, creating a legal loophole.

“I call it the terrorist lottery loophole,” said Republican Senator Mike Rogers, the chairman of the House Intelligence Committee. “If you can find your way from a foreign country where we have reasonable suspicion that you are … a terrorist … and get to the United States, under a current rule, they need to turn it off and do a complicated handoff to the FBI,” Rogers said.

The new bill would allow the NSA to legally continue eavesdropping on a person for seven days after that person arrives in the US, without asking a court for authorization.

Democratic Senator Wyden, who has for years worked with classified data as a member of the Senate Intelligence Committee, also derided the NSA’s complaints about the damage to US national security caused by the recent leaks.

“You talk about the damage that has been done by disclosures, but any government official who thought this would never be disclosed was ignoring history. The truth always manages to come out,” he said.

…[NSA Director Keith] Alexander acknowledged that the NSA is interested in compiling the largest national database possible, and that there is no limit to the number of records that can be gathered. The storehouse holds billions of records, former officials have told The Washington Post.

“Is it the goal of the NSA to collect the phone records of all Americans?” Udall asked.

“I believe it is in the nation’s best interests to put all the phone records into a lockbox that we could search when the nation needs to do it, yes,” Alexander said.

The government has claimed the authority to gather the data under Section 215 of the USA Patriot Act, also known as the “business records” provision of the Foreign Intelligence Surveillance Act. The FISA court in 2006 agreed that the government could use that statute to order phone companies to hand over “all call detail records” daily to the NSA.

Asked by Udall if that statute gave NSA the authority to collect other data — such as utility bills — Deputy Attorney General James M. Cole offered a qualified answer. “It’s given them the authority to collect other bulk records if they can show that it is necessary to find something relevant to a foreign intelligence investigation of particular types. . . . It’s not just all bulk records. But it’s also not no business records. It’s all dependent on the purpose.”

[Sen. Ron Wyden (D-Oregon)], Udall and other lawmakers have introduced reform legislation that would, among other things, end the phone records collection, while allowing for a more limited program.

On Thursday, Wyden accused U.S. officials of not being more forthcoming about intelligence-collection programs.

“The leadership of your agencies built an intelligence-collection system that repeatedly deceived the American people,” he said. “Time and time again, the American people were told one thing about domestic surveillance in public forums while government agencies did something else in private.”

Wyden famously squared off with Clapper earlier this year when he asked him whether the intelligence community collects information on millions of Americans. Clapper responded “not wittingly,” then later apologized to Committee Chairwoman Dianne Feinstein (D-California) for his “clearly erroneous” remark after Snowden’s leaks, only weeks later, suggested otherwise.

“So that he would be prepared to answer, I sent the question to Director Clapper’s office a day in advance. After the hearing was over, my staff and I gave his office a chance to amend his answer,” Wyden told the Washington Post after the March meeting. “Now public hearings are needed to address the recent disclosures, and the American people have the right to expect straight answers from the intelligence leadership to the questions asked by their representatives.”

On Thursday, Wyden directed questions at Gen. Alexander in an attempt to determine whether the NSA collected information from cell phone towers that could be used to locate customers. Alexander declined to provide a straight answer during an unclassified hearing.

“If you’re responding to my question by not answering it because you think that’s a classified matter, that is certainly your right,” said Wyden. “We will continue to explore that because I believe that is something the American people deserve to know.”

After a few decades of being in existence among average, everyday human beings, the internet has become quite ubiquitous and pervasive in our lives. Most of us take it for granted like we do electricity and water. But when we send emails, do we really understand how it is delivered to the final destination, and what computers are involved in taking our emails and routing it to our friends and families? And when we visit a website, do we really understand how those clicks and personal data we entered is packaged and delivered to the ultimate website?

With what we now know about the major weaknesses the National Security Agency (NSA) and other intelligence agencies have injected into our common communication paths (telephone (traditional, mobile and Voice over IP, or VOIP), television, desktop and mobile internet), it’s probably time we at least have a basic idea of how the internet works. I will avoid getting too bogged down in technical detail and keep the conversation as short and simple as possible (though at times I may have to touch on some fairly technical terms if it can’t be avoided).

Let’s go over some common ways you communicate with friends and family first, and then go into details about how the communication happens. We’ll cover text messaging, email, and voice calls.

When you send a text, you probably think only your and your friend’s mobile devices are involved. Yes, you probably know that AT&T, Verizon, Sprint, T-Mobile, or another provider has a network that sends your message to your friend, but there’s a bit more to it. When you turn on your phone, it automatically connects to your provider’s network. This means that every so often, your phone says “Hi, I’m still here” to make sure your texts and voice calls can be sent by you to a friend, or from a friend to you. So let’s say you decide to send “hello” as a text to a friend. When you click Send, your mobile phone packages your message in a way very similar to what the postman or FedEx shipper does with a regular mailing. A physical letter needs a From address and a To address in order to reach its destination. Similarly, your phone puts the From and To info into the text message. To keep your provider’s network from confusing the From and To info with the actual body of your text message, the From and To info, along with the date and time, is put into a “header.” A header is like the envelope you put your letter in. The letter and envelope are two separate things, and the letter is inserted into the envelope. Similarly, your text message is put into an electronic envelope that contains the header info (the From and To info – your phone number plus the number of your friend). Once the electronic envelope is ready, your phone sends it to your provider’s network.

The first point your electronic envelope goes to is your provider’s closest tower. This is similar to your mail going to the nearest post office to get entered into the system. From there, your regular mail goes to a major area postal hub, where it is then routed to the next logical postal hub closest to your final destination: the intended mail recipient. Similarly, the local phone tower sends your text to the nearest satellite, which then sends your text message to the next logical satellite en route to your friend. The process is reversed once your friend’s nearest phone tower is found: the final satellite in the route sends the text to your friend’s nearest phone tower, which then sends it to your friend’s mobile phone. The phone then unpacks the text and displays it on your friend’s phone.

Keep in mind that though this is a simplified example, notice that there are multiple devices involved: towers, satellites, and your provider’s computer servers for coordinating the sending of messages from one satellite to another and for archiving. I will explain why this is important to remember shortly.

Email

Email works pretty much the same way that text messaging does. Assuming you’re at your laptop typing an email up while logged in to your internet provider’s system, you will ultimately include the email address of a friend or team member from work. You click Send or Submit, and off your email goes. But it’s not quite that simple. Your email software (presumably Outlook or some free online email provider like Yahoo or Gmail) has to package your email just like with text messaging. But there’s far more info that gets added to the electronic envelope (aka “email header”) than just email addresses; Wikipedia has a good listing that I’ll provide a snippet of here (please forgive the technical jargon):

Bcc: Blind Carbon Copy; addresses added to the SMTP delivery list but not (usually) listed in the message data, remaining invisible to other recipients.

Cc: Carbon Copy; Many email clients will mark email in your inbox differently depending on whether you are in the To: or Cc: list.

Content-Type: Information about how the message is to be displayed, usually a MIME type.

Precedence: commonly with values “bulk”, “junk”, or “list”; used to indicate that automated “vacation” or “out of office” responses should not be returned for this mail, e.g. to prevent vacation notices from being sent to all other subscribers of a mailing list. Sendmail uses this header to affect prioritization of queued email, with “Precedence: special-delivery” messages delivered sooner. With modern high-bandwidth networks delivery priority is less of an issue than it once was. Microsoft Exchange respects a fine-grained automatic response suppression mechanism, the X-Auto-Response-Suppress header.

References: Message-ID of the message that this is a reply to, and the message-id of the message the previous reply was a reply to, etc.

Reply-To: Address that should be used to reply to the message.

Sender: Address of the actual sender acting on behalf of the author listed in the From: field (secretary, list manager, etc.).

Archived-At: A direct link to the archived form of an individual email message.

Note that the To: field is not necessarily related to the addresses to which the message is delivered. The actual delivery list is supplied separately to the transport protocol, SMTP, which may or may not originally have been extracted from the header content. The “To:” field is similar to the addressing at the top of a conventional letter which is delivered according to the address on the outer envelope. In the same way, the “From:” field does not have to be the real sender of the email message. Some mail servers apply email authentication systems to messages being relayed. Data pertaining to server’s activity is also part of the header, as defined below.

SMTP defines the trace information of a message, which is also saved in the header using the following two fields:

Received: when an SMTP server accepts a message it inserts this trace record at the top of the header (last to first).

Return-Path: when the delivery SMTP server makes the final delivery of a message, it inserts this field at the top of the header.

Other header fields that are added on top of the header by the receiving server may be called trace fields, in a broader sense.

Authentication-Results: when a server carries out authentication checks, it can save the results in this field for consumption by downstream agents.

I know that was a lot of information. All you need to really understand is that email messaging has more header info than text messaging, but is quite similar in concept. An email can have messages that contain more than just text. It can contain pictures, songs, video, voice recordings and other data as determined by what’s called a MIME type. I won’t go into details about MIME types, but just know that in order for the email server to know how to handle your email, it must know what kind of content it has inside your electronic envelope. Just like when you send a DVD or CD along with a letter, it is good to let the post office know if your envelope contains fragile content for special handling.

Voice Calls

By now, you probably get the pattern. Voice calls are very similar to text messages and emails. You dial a friend’s number and click Send or Talk. A connection is established from your phone to the nearest phone tower (for wireless calls) or to the telephone company’s local office (for landline calls). The call is routed to the next satellite or server along the path that is the shortest distance to your friend. Once your friend clicks Send or Talk (or whatever graphical icon on your smartphone represents picking up the call), your provider establishes and monitors the quality of the call until one of you hangs up – or the network drops your call for whatever reason. Voice over IP (VOIP) uses your internet connection instead of the plain old telephone network and is very similar to text messaging, except that the message content is your voice, sent as a continuous stream of electronic envelopes called packets (refer to http://en.wikipedia.org/wiki/VoIP for more info). Digital television transmission works very similarly, but is broadcast by TV stations and content providers in a way that is closer to what Twitter does with each tweet.

Websites

There are a few common ways you discover websites to visit. You do a search through Google, Bing or another service. You need to pay a bill or buy something online. A TV program you’re watching mentions a website. You get the idea. So what do you do to display that site on your computer or mobile phone/device? You either click on a link or type the address into the part of your web browser called the Address box, near the top. It starts with http:// or similar. But what is happening to make that web page display in your browser? It’s not magic, but several hardware and software components at work:

1) Your web browser, which has to package your request for a web page into an electronic envelope similar to text messaging described earlier

3) The website owner’s website, which is software that is inside a computer that either the website owner directly owns, or rents from its internet hosting provider if it is too expensive to own a dedicated computer server

When you click on a link (or enter it manually in the Address bar at the top of the browser and click a button to send it), your web browser puts your request for the page in an electronic envelope and places a header on it that, among other things, carries your computer’s or mobile device’s IP address (mobile phones have IP addresses, too, for internet purposes). Your browser sends the request to your internet provider’s server, which in turn passes it on to the nearest server that can forward it to another one, until it reaches the web server you asked for. The web server has the equivalent of a “bodyguard” whose job is to make sure the request won’t cause trouble in paradise. This bodyguard inspects your electronic envelope, makes sure there’s nothing bad in it, and passes it along to the web application of the website you requested. Every website has some kind of application software that offers the features you have come to expect in a modern website. So when you go to pay a bill online and click “Checkout” or “Pay Now,” the logic for making that happen is within the web application software that is housed on the website. A website can have one or more web applications, which is why it is important to keep the two separate in your mind. When the web application needs to send a confirmation back to you, it also puts that confirmation inside an electronic envelope and sends it back to you as a response to your request.

What Can Go Wrong?

Now that we’ve gotten that out of the way, have you noticed any potential problem areas in the various ways you communicate? Earlier I asked you to keep in mind the multiple devices involved in establishing and maintaining your communications. The fact that it takes several devices (called routing points) between you and your friends, family members and co-workers is what you should consider. Similar to wire-tapping of traditional phones, tapping of text messages, emails, digital voice calls and website visits can occur on any of those devices. Each server and each satellite between you and your friend or the website you request has a unique address assigned to it, and can be tapped into and compromised without your even knowing it. A server administrator working on any of the servers your communications rely on can compromise the system and secretly sell access to it to the highest bidder. There are technology companies that specialize in IP tracing and recording that are already gathering tons of information on your communications, and have been for many years. The Edward Snowden NSA leak scandal has become a wake-up call for the entire world, not just for governments, but for businesses and individuals as well. The NSA has intentionally created weaknesses (called back doors) in every online security encryption method you use every day. So when you buy something online at a site whose address begins with HTTPS, that “s” (which stands for “secure”) should now become “I” for “insecure,” because it has been thoroughly compromised. IP tracing is one of the key areas of compromise that you have to deal with.

What is IP tracing?

Ip-address.org has this to say:

Tracking down an IP address will give you a general idea of what city, state and other geographical information pertains to the original sender. You can also determine what ISP a computer user is networked with through an IP address lookup tool…Tracing an email gives other information, such as how many times an email was sent to various servers and is an important method used for determining the original source of an email. By tracing an email you can determine the original sender’s IP address, therefore giving you a geographical location of the email sender…Email tracer tools take out the confusion of searching and tracing headers and are an easy and convenient way to track down an email. By copying and pasting the header information into the form the tool will return results showing you the IP address of the original email sender…You can determine the sender’s IP address manually but it takes more time. Though you won’t be able to determine an exact name of the original sender, the received information is valuable and will offer you many clues as to the original sender.
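The Wikipedia excerpt above says each SMTP server prepends a Received: line, and the Ip-address.org passage describes working back through those lines to the original sender’s IP. The following is an added example of that procedure, not code from the original post or from either of those sites. It parses a constructed message (example domains and RFC 5737 documentation addresses, so nothing here is a real host) with Python’s standard email module, reverses the header order so the hops read origin-first, and pulls out the relaying host, the bracketed IP and the timestamp of each hop. The trusted_hosts filter is the caveat every tracer should apply: only the Received: lines written by servers you control are reliable, because the sender can insert fake ones below them.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (not a real message): three SMTP hops, hosts in
# example domains, IPs from the RFC 5737 documentation ranges.
SAMPLE_MESSAGE = (
    "Return-Path: <alice@example.org>\n"
    "Received: from mx2.example.net (mx2.example.net [198.51.100.7])\n"
    "\tby inbox.example.com with ESMTP id 77abc;\n"
    "\tThu, 26 Sep 2013 14:05:09 +0000\n"
    "Received: from relay.example.org (relay.example.org [203.0.113.25])\n"
    "\tby mx2.example.net with ESMTPS id 31xyz;\n"
    "\tThu, 26 Sep 2013 14:05:01 +0000\n"
    "Received: from laptop.local (unknown [192.0.2.44])\n"
    "\tby relay.example.org with ESMTPSA id 9k2;\n"
    "\tThu, 26 Sep 2013 14:04:55 +0000\n"
    "Authentication-Results: inbox.example.com; spf=pass smtp.mailfrom=example.org\n"
    "From: Alice <alice@example.org>\n"
    "To: Bob <bob@example.com>\n"
    "Subject: hello\n"
    "\n"
    "hi bob\n"
)

# "from <host> (<comment>) by <host>" is the common shape of a Received: line
HOP_RE = re.compile(
    r"from\s+(?P<src>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<dst>\S+)", re.I
)
# the connecting client's address is normally given in square brackets
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Turn one Received: header into {src, ip, dst, when}; None if unparseable."""
    flat = " ".join(value.split())          # unfold the continuation lines
    m = HOP_RE.search(flat)
    if not m:
        return None
    ip_match = IPV4_RE.search(m.group("info") or "")
    when = None
    if ";" in flat:                          # the date follows the last semicolon
        try:
            when = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            when = None
    return {
        "src": m.group("src"),
        "ip": ip_match.group(1) if ip_match else None,
        "dst": m.group("dst"),
        "when": when,
    }


def trace_hops(raw_message):
    """All parseable hops, ordered from the origin to the final delivery server."""
    msg = message_from_string(raw_message)
    hops = [h for h in map(parse_received, msg.get_all("Received") or []) if h]
    hops.reverse()   # each server prepends, so the last header is the first hop
    return hops


def origin_ip(raw_message, trusted_hosts=None):
    """IP of the earliest hop. With trusted_hosts, only Received: lines written
    by servers you operate are believed; anything below them may be forged."""
    hops = trace_hops(raw_message)
    if trusted_hosts:
        hops = [h for h in hops if h["dst"] in trusted_hosts]
    return hops[0]["ip"] if hops else None


if __name__ == "__main__":
    for hop in trace_hops(SAMPLE_MESSAGE):
        print(f"{hop['src']:20} [{hop['ip']}] -> {hop['dst']} at {hop['when']}")
    print("origin (all headers believed):", origin_ip(SAMPLE_MESSAGE))
    print("origin (only our MX believed):", origin_ip(SAMPLE_MESSAGE, {"inbox.example.com"}))
```

Run against the sample, the full trace names 192.0.2.44 as the origin, but if only inbox.example.com is trusted the answer becomes 198.51.100.7, the last relay that your own server actually talked to. That difference is the whole point of the caveat in the quoted text that you “won’t be able to determine an exact name of the original sender”: the lower lines are clues, not evidence.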

In and of itself, IP tracing is not bad. But in the wrong hands, it can be damaging. There are already technology companies proudly selling advanced tracking and recording technology to intelligence and military organizations around the world, chiefly the NSA, FBI, CIA, and others. There’s a company in France that sells web browser vulnerability information to the highest bidder, so it has no incentive to privately inform the browser maker (Internet Explorer, Chrome, Safari, etc.) of the weaknesses it is exploiting. So not only can your communications be tapped into, your keystrokes at your computer can be recorded to go along with the IP tracing profile that snoopers can compile about you.

Internet and telecommunications security is a cat-and-mouse game that both the honest and the dishonest are working at every day. And we have seen that sometimes our government can fail us (they’re human), so we need to ask our representatives to strengthen laws regarding surveillance and recording, since the risk of a major terrorist attack does not justify the damage to digital security and the violations of privacy rights. As we saw with the Navy Yard shooting in September 2013, acts of terror are not always preventable even with all of the NSA/CIA/FBI surveillance going on now. So why compromise our security online and push us several steps closer to widespread paranoia?

LEHI, UT–(Marketwired – September 24, 2013) – DigiCert, Inc., a leading global authentication and encryption provider, announced today that it is the first Certificate Authority (CA) to implement Certificate Transparency (CT). DigiCert has been working with Google to pilot CT for more than a year and will begin adding SSL Certificates to a public CT log by the end of October.

DigiCert welcomes CT as an important step toward enhancing online trust. For several months, DigiCert has been working with Google engineers to test Google’s code, provide feedback on proposed CT implementations, and build CT support into the company’s systems. This initiative aligns with DigiCert’s focus to improve online trust — including tight internal security controls, development and adoption of the CA/Browser Forum Baseline Requirements and Network Security Guidelines, and participation in various industry bodies that are focused on security and trust standards.

Google’s Certificate Transparency project fixes several structural flaws in the SSL certificate system, which is the main cryptographic system that underlies all HTTPS connections. These flaws weaken the reliability and effectiveness of encrypted Internet connections and can compromise critical TLS/SSL mechanisms, including domain validation, end-to-end encryption, and the chains of trust set up by certificate authorities. If left unchecked, these flaws can facilitate a wide range of security attacks, such as website spoofing, server impersonation, and man-in-the-middle attacks.

Certificate Transparency helps eliminate these flaws by providing an open framework for monitoring and auditing SSL certificates in nearly real time. Specifically, Certificate Transparency makes it possible to detect SSL certificates that have been mistakenly issued by a certificate authority or maliciously acquired from an otherwise unimpeachable certificate authority. It also makes it possible to identify certificate authorities that have gone rogue and are maliciously issuing certificates.

Because it is an open and public framework, anyone can build or access the basic components that drive Certificate Transparency. This is particularly beneficial to Internet security stakeholders, such as domain owners, certificate authorities, and browser manufacturers, who have a vested interest in maintaining the health and integrity of the SSL certificate system.
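The press release says anyone can build the basic components of Certificate Transparency and that the log lets a domain owner detect a certificate that was issued without their knowledge. The component that makes that possible is the append-only Merkle tree defined in RFC 6962, and the following is an added illustration of it, not DigiCert’s or Google’s code. Entries are constructed stand-ins for certificates (short byte strings, not real DER). Leaves are hashed with a 0x00 prefix and interior nodes with a 0x01 prefix, exactly as the RFC specifies, so a leaf can never be passed off as a node; inclusion_path produces the sibling hashes a log would hand out with an audit proof, and verify_inclusion recomputes the root from them, which is what a monitor or browser does to check that a certificate it sees really is in the log whose root it trusts.

```python
import hashlib


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(entry: bytes) -> bytes:
    # RFC 6962 section 2.1: leaves are domain-separated with a 0x00 prefix
    return _sha256(b"\x00" + entry)


def node_hash(left: bytes, right: bytes) -> bytes:
    # interior nodes use a 0x01 prefix so leaf and node hashes can't collide
    return _sha256(b"\x01" + left + right)


def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    return 1 << ((n - 1).bit_length() - 1)


def tree_hash(entries) -> bytes:
    """Merkle Tree Hash (MTH) of an ordered list of log entries."""
    n = len(entries)
    if n == 0:
        return _sha256(b"")              # MTH({}) is the hash of the empty string
    if n == 1:
        return leaf_hash(entries[0])
    k = _split_point(n)
    return node_hash(tree_hash(entries[:k]), tree_hash(entries[k:]))


def inclusion_path(m: int, entries) -> list:
    """Audit path for entry m: sibling hashes from the leaf level up to the root."""
    n = len(entries)
    if n <= 1:
        return []
    k = _split_point(n)
    if m < k:
        return inclusion_path(m, entries[:k]) + [tree_hash(entries[k:])]
    return inclusion_path(m - k, entries[k:]) + [tree_hash(entries[:k])]


def root_from_path(m: int, n: int, leaf: bytes, path: list) -> bytes:
    """Recompute the root of an n-entry tree from leaf m and its audit path."""
    if n == 1:
        if path or m != 0:
            raise ValueError("path does not fit a single-leaf subtree")
        return leaf
    if not path:
        raise ValueError("audit path too short")
    k = _split_point(n)
    sibling, rest = path[-1], path[:-1]    # last element is the top-level sibling
    if m < k:
        return node_hash(root_from_path(m, k, leaf, rest), sibling)
    return node_hash(sibling, root_from_path(m - k, n - k, leaf, rest))


def verify_inclusion(entry: bytes, m: int, n: int, path: list, expected_root: bytes) -> bool:
    """True only if `entry` is leaf m of the n-entry tree whose root is expected_root."""
    try:
        return root_from_path(m, n, leaf_hash(entry), path) == expected_root
    except ValueError:
        return False


# Constructed stand-ins for logged certificates (not real certificates).
LOG = [f"cert {i}: CN=site{i}.example, issuer=Example CA".encode() for i in range(7)]


def demo():
    """Prove entry 4 is in the log, then show a substituted entry fails the same proof."""
    root = tree_hash(LOG)
    path = inclusion_path(4, LOG)
    genuine = verify_inclusion(LOG[4], 4, len(LOG), path, root)
    substituted = verify_inclusion(b"cert X: CN=site4.example, issuer=Unknown CA", 4, len(LOG), path, root)
    return genuine, substituted


if __name__ == "__main__":
    print("tree root:", tree_hash(LOG).hex())
    print("genuine entry verifies, substituted entry verifies:", demo())
```

The audit path for a 7-entry tree is only three hashes long, which is the property that lets a monitor check any single certificate against a signed tree head without downloading the log. Because the tree is append-only, a log operator cannot later remove the entry that exposes a mis-issued certificate without changing the root that every other party has already recorded.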

According to a helpful Technet article on Microsoft’s website, an ideal number of login attempts before locking a user out of his or her account is 50.

Why?

Mainly to give the user a reasonable number of attempts to log in without having to call the Help Desk over such a routine, repeatable problem. But for those who don’t have the nerve to set the account lockout threshold that high, you can start with as few as 4 maximum attempts and as many as 10, and see how you like the results. More from Microsoft:

The Account lockout threshold policy setting determines the number of failed logon attempts that will cause a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the number of minutes specified by Account lockout duration expires. You can set a value from 1 through 999 failed logon attempts, or you can specify that the account will never be locked out by setting the value to 0. If Account lockout threshold is set to a number greater than zero, Account lockout duration must be greater than or equal to the value of Reset account lockout counter after.

…

Brute force password attacks can be automated to try thousands or even millions of password combinations for any or all user accounts. Limiting the number of failed logons that can be performed nearly eliminates the effectiveness of such attacks.

However, it is important to note that a denial-of-service attack could be performed on a domain that has an account lockout threshold configured. A malicious user could programmatically attempt a series of password attacks against all users in the organization. If the number of attempts is greater than the value of Account lockout threshold, the attacker could potentially lock out every account.

…

Because it will not prevent a brute force attack, a value of 0 should only be chosen if both of the following criteria are explicitly met:

A robust auditing mechanism is in place to alert administrators when a series of failed logons are occurring in the environment.

If these criteria cannot be met, set Account lockout threshold to a high enough value that users can accidentally mistype their password several times before they are locked out of their account, but ensure that a brute-force password attack would still lock out the account. It is advisable to specify a value of 50 invalid logon attempts. Keep in mind, however, that although this setting can reduce the number of Help Desk calls by reducing the number of user lockouts, it cannot prevent a denial-of-service attack.

…

The threshold that you select is a balance between operational efficiency and security, and it depends on your organization’s risk level. To allow for user error and thwart brute force attacks, a setting above 4 and below 10 could be an acceptable starting point for your organization.
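The three settings quoted above interact in ways that are easy to get wrong, so here is an added simulation of them; it is illustrative code written for this post, not Microsoft’s implementation, and the minute-by-minute scenarios are constructed. It enforces the documented constraint that the lockout duration must be at least the reset window, clears the bad-password counter on a successful logon or once the reset window has elapsed, and auto-unlocks when the duration expires. The scenario function runs the two cases the article contrasts: a user who mistypes a password five times, and an account hit by sixty scripted guesses in a single minute. The outputs show why a threshold of 4 generates a Help Desk call for the honest user while 50 still stops the automated run, and why threshold 0 stops nothing.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    """The three Group Policy settings from the quoted article, in minutes."""
    threshold: int       # Account lockout threshold; 0 means never lock out
    duration: int        # Account lockout duration
    reset_after: int     # Reset account lockout counter after

    def __post_init__(self):
        # Documented rule: with a threshold set, duration must be >= reset window
        if self.threshold > 0 and self.duration < self.reset_after:
            raise ValueError("Account lockout duration must be >= Reset account lockout counter after")


def policy_is_valid(threshold: int, duration: int, reset_after: int) -> bool:
    try:
        LockoutPolicy(threshold, duration, reset_after)
        return True
    except ValueError:
        return False


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[int] = None      # minute of the most recent failure
    locked_until: Optional[int] = None  # minute at which the lockout expires


class LockoutSimulator:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: int) -> bool:
        st = self._state(user)
        return st.locked_until is not None and now < st.locked_until

    def attempt(self, user: str, password_ok: bool, now: int) -> str:
        """Process one logon attempt at minute `now`; returns 'ok', 'bad' or 'locked'."""
        st, pol = self._state(user), self.policy
        if self.is_locked(user, now):
            return "locked"
        if st.locked_until is not None:      # duration has expired: auto-unlock
            st.locked_until, st.bad_count = None, 0
        if password_ok:
            st.bad_count = 0                 # a successful logon clears the counter
            return "ok"
        if st.last_bad is not None and now - st.last_bad >= pol.reset_after:
            st.bad_count = 0                 # reset window elapsed since last failure
        st.bad_count += 1
        st.last_bad = now
        if pol.threshold > 0 and st.bad_count >= pol.threshold:
            st.locked_until = now + pol.duration
            return "locked"
        return "bad"


def scenario(threshold: int, duration: int = 30, reset_after: int = 30) -> dict:
    """Constructed timeline: alice mistypes five times then succeeds; bob's
    account receives 60 scripted guesses inside one minute."""
    sim = LockoutSimulator(LockoutPolicy(threshold, duration, reset_after))
    typos = [sim.attempt("alice", False, t) for t in range(5)]
    alice_final = sim.attempt("alice", True, 5)
    guesses = [sim.attempt("bob", False, 10) for _ in range(60)]
    first_lock = guesses.index("locked") + 1 if "locked" in guesses else None
    return {
        "alice_locked": "locked" in typos or alice_final == "locked",
        "alice_final": alice_final,
        "bob_locked": sim.is_locked("bob", 11),
        "bob_first_lock_attempt": first_lock,
        "bob_unlocked_after_duration": not sim.is_locked("bob", 10 + duration),
    }


if __name__ == "__main__":
    for t in (0, 4, 50):
        print(f"threshold={t}:", scenario(t))
```

With the threshold at 50 the honest user never sees a lockout and the scripted run is stopped at its 50th guess; at 4 the same user is locked out on her fourth typo and her correct password is rejected a minute later. Nothing in the model stops someone from deliberately tripping the threshold against every account, which is the denial-of-service trade-off the Microsoft text warns about and why the auditing it mentions matters regardless of the value you pick.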

An encryption algorithm with a suspected NSA-designed backdoor has been declared insecure by the developer after years of extensive use by customers worldwide, including the US federal agencies and government entities.

Major US computer security company RSA Security, a division of EMC, privately warned thousands of its customers on Thursday to immediately discontinue using all versions of the company’s BSAFE toolkit and Data Protection Manager (DPM), both of which use the Dual_EC_DRBG (Dual Elliptic Curve Deterministic Random Bit Generator) algorithm to protect sensitive data.

“To ensure a high level of assurance in their application, RSA strongly recommends that customers discontinue use of Dual_EC_DRBG [cryptographic key generator] and move to a different PRNG [Pseudo-random Number Generator],” warned RSA’s letter, as quoted by The Wall Street Journal.

In the letter, RSA provided BSAFE Toolkit and DPM customers with a link to technical guidance for changing the PRNG settings in their products, and promised to update the algorithm library.

The letter does not mention RSA’s flagship SecurID tokens, used by millions of employees around the world to get secure access to their corporate networks.

In 2006, the US National Institute of Standards and Technology (NIST), followed by the International Organization for Standardization, officially endorsed Dual_EC_DRBG, so encryption software based on it was used for years by both the private sector and US government agencies.

Last week the New York Times published new revelations from former National Security Agency contractor Edward Snowden, exposing that a crucial encryption algorithm in certain US-developed security software is based on a weak mathematical formula intentionally crippled to facilitate NSA access to encrypted data flows.
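RSA’s advice above is to move to a different PRNG. Dual_EC_DRBG was one of the four generators in NIST SP 800-90A; another is HMAC_DRBG, whose security rests on HMAC rather than on elliptic-curve points chosen by someone else. The block below is an added, self-contained implementation of HMAC_DRBG with SHA-256 following the SP 800-90A instantiate / reseed / generate / update steps; it is written for this post and is not RSA’s BSAFE code or any vendor library. The seeding helper takes its entropy from os.urandom, which is an assumption about where a real deployment would get its seed. The SEED and NONCE values used in the checks are constructed, not standard test vectors.

```python
import hashlib
import hmac
import os


class HmacDrbg:
    """HMAC_DRBG (NIST SP 800-90A, section 10.1.2) instantiated with SHA-256."""

    OUTLEN = 32                 # SHA-256 output length in bytes
    MAX_REQUEST = 1 << 16       # 2^19 bits per generate() call, as the spec limits
    RESEED_INTERVAL = 1 << 48   # generate() calls allowed before a reseed is required

    def __init__(self, entropy: bytes, nonce: bytes = b"", personalization: bytes = b""):
        if len(entropy) < self.OUTLEN:
            raise ValueError("seed needs at least 256 bits of entropy")
        # Instantiate: K = 0x00..00, V = 0x01..01, then Update(seed material)
        self._key = b"\x00" * self.OUTLEN
        self._v = b"\x01" * self.OUTLEN
        self._update(entropy + nonce + personalization)
        self._reseed_counter = 1

    def _hmac(self, data: bytes) -> bytes:
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def _update(self, provided: bytes = b"") -> None:
        """HMAC_DRBG_Update: mix provided data into the internal state (K, V)."""
        self._key = self._hmac(self._v + b"\x00" + provided)
        self._v = self._hmac(self._v)
        if provided:
            self._key = self._hmac(self._v + b"\x01" + provided)
            self._v = self._hmac(self._v)

    def reseed(self, entropy: bytes, additional: bytes = b"") -> None:
        if len(entropy) < self.OUTLEN:
            raise ValueError("reseed needs at least 256 bits of entropy")
        self._update(entropy + additional)
        self._reseed_counter = 1

    def generate(self, n: int, additional: bytes = b"") -> bytes:
        """Return n pseudorandom bytes; refuses to run past the reseed interval."""
        if n > self.MAX_REQUEST:
            raise ValueError("request exceeds max_number_of_bits_per_request")
        if self._reseed_counter > self.RESEED_INTERVAL:
            raise RuntimeError("reseed required")
        if additional:
            self._update(additional)
        out = b""
        while len(out) < n:
            self._v = self._hmac(self._v)     # V = HMAC(K, V); output is the chain of V values
            out += self._v
        self._update(additional)              # post-generation state update (backtracking resistance)
        self._reseed_counter += 1
        return out[:n]


def new_system_drbg(personalization: bytes = b"") -> HmacDrbg:
    """Assumed seeding source for a real deployment: the OS entropy pool."""
    return HmacDrbg(os.urandom(32), os.urandom(16), personalization)


def same_seed_agrees(seed: bytes, nonce: bytes, n: int) -> bool:
    """Deterministic behaviour check: two instances with identical seed material agree."""
    return HmacDrbg(seed, nonce).generate(n) == HmacDrbg(seed, nonce).generate(n)


if __name__ == "__main__":
    drbg = new_system_drbg(b"example key material generator")
    print(drbg.generate(32).hex())
```

Before using any DRBG implementation for key material, run it against the NIST CAVP HMAC_DRBG known-answer vectors; the checks here only establish that the generator is deterministic for a given seed and produces distinct output across calls and seeds, which is necessary but not sufficient.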

These computer breach news items are listed here to remind IT professionals, particularly developers, designers, and networking and database administrators, how important it is to encrypt hard drives and sensitive data such as Social Security numbers, medical patient IDs, credit card numbers and so on. The following results came from a PrivacyRights.org website search.

Date Made Public | Name | Entity | Type | Total Records

Entity codes: BSF = business (financial), BSO = business (other), BSR = business (retail), EDU = educational, GOV = government, MED = healthcare. Type codes: DISC = unintended disclosure, HACK = hacking or malware, INSD = insider, PORT = lost or stolen portable device, UNKN = unknown.

September 15, 2013 | International SOS, Philadelphia, Pennsylvania | GOV | HACK | Unknown

An unauthorized user or users accessed at least one U.S. system that hosts traveler information. The type of information that may have been accessed was not reported and International SOS is still investigating the incident.

Information Source: Media | records from this breach used in our total: 0

September 13, 2013 | MNsure, St. Paul, Minnesota | MED | DISC | 2,400

An agency employee accidentally sent the information of 2,400 insurance agents to two other MNsure employees via email. MNsure instructed the employees to delete the information. Names, Social Security numbers, and addresses were part of the breach.

Information Source: Media | records from this breach used in our total: 2,400

September 13, 2013 | Argotec, Greenfield, Massachusetts | BSR | UNKN | Unknown

An unspecified incident occurred on or around July 26 that may have exposed the confidential information of current and former employees. Names, Social Security numbers, and bank account information may have been exposed. Current employees were sent notification on August 6.

Information Source: Media | records from this breach used in our total: 0

September 11, 2013 | Edgewood Partners Insurance Center (EPIC), San Mateo, California | BSF | PORT | Unknown

Five laptops were stolen during a July 16 office burglary. The laptops contained confidential information and were password-protected but unencrypted. Current and former employees and their beneficiaries and dependents, contractors, and job applicants were affected. Names, Social Security numbers, addresses, dates of birth, drivers’ license numbers, benefits information, bank account information, and health information were exposed.

Information Source: Media | records from this breach used in our total: 0

September 11, 2013 | Kaiser Permanente, Oakland, California | MED | DISC | Unknown

Participants in a Wellness Screening competition pilot may have had their information exposed. A Kaiser Permanente employee accidentally included confidential information in an email sent to a member of the pilot planning team. In addition to a summary of the competition, it included names, Kaiser Permanente medical record numbers, phone numbers, email addresses, names of employers, department names, and dates and times of health screenings. The pilot planning team member was not authorized to receive the confidential information.

Information Source: California Attorney General | records from this breach used in our total: 0

September 11, 2013 | FSV Payment Systems, Paymast’r Services, Boulder, Colorado | BSF | HACK | Unknown

Between July 22 and July 28, an unauthorized party accessed a website that contained sensitive information. Names, Social Security numbers, addresses, drivers’ license numbers, and Payroll Card numbers may have been accessed. The website was shut down once the breach was discovered.

Information Source: California Attorney General | records from this breach used in our total: 0

September 10, 2013 | Pierce County Housing Authority, Tacoma, Washington | BSO | DISC | 979

A human error resulted in the exposure of client information. A client found a file with Social Security numbers on the website. The site was shut down while the file was removed. It is unclear how long the information was available; the error was caused by a former employee.

Information Source: Media | records from this breach used in our total: 979

September 10, 2013 | Outdoor Network, LLC, Boats.net, Partzilla.com, Lake Placid, Florida | BSR | HACK | Unknown

Those with questions may call (888) 829-6550.

A website breach exposed an unspecified number of customer names, addresses, credit card numbers, credit card expiration dates, and CVV codes. Hackers put malware on Outdoor Network’s Boats.net and Partzilla.com websites and were able to access information from credit card transactions between December 2012 and July 2013.

Information Source: Media | records from this breach used in our total: 0

September 10, 2013

University of South Florida (USF) Health
Tampa, Florida

EDU

INSD

140

Police searched the car of a University custodial employee and found USF Physicians Group patient billing information. Names, Social Security numbers, and dates of birth had been exposed. The employee no longer works for the University and patients were sent a notification letter in late July.

Information Source:
Media

records from this breach used in our total: 140

September 7, 2013

Rockland Federal Credit Union
Rockland, Massachusetts

BSF

HACK

Unknown

Those with questions may call 781-878-0232.

Rockland Federal Credit Union is sending customers new debit cards with new PINs as a result of a merchant who discovered a breach in their computer system. All old debit cards will be deactivated on September 26.

Information Source:
Media

records from this breach used in our total: 0

September 6, 2013

Georgia Department of Labor
Marietta, Georgia

GOV

DISC

4,457

An employee accidentally emailed a document with the names and Social Security numbers of 4,457 Cobb-Cherokee Career Center customers to 1,000 people. Recipients were notified and instructed to delete the email immediately without reading it.

UPDATE (09/06/2013): The employee who accidentally sent the email attachment was suspended. The Georgia Department of Labor is also reviewing its internal policies for handling sensitive information.

Information Source:
Media

records from this breach used in our total: 4,457

September 6, 2013

Office of Dr. Hankyu Chung
San Jose, California

MED

PORT

Unknown

A June 17 office burglary resulted in the theft of two laptops. One of the laptops contained names, telephone numbers, dates of birth, visit dates, health complaints, physical examination notes, diagnoses, testing information, medication information, and other medical record information. The thief or thieves were able to get into the office by opening an unlocked door. No identity theft protection services are being offered to affected patients.

Information Source:
California Attorney General

records from this breach used in our total: 0

September 6, 2013

Conexis, State of Virginia
Blacksburg, Virginia

EDU

DISC

13,000

Employees of the state of Virginia who are enrolled in the Commonwealth’s 2014 Flexible Spending Account had their information exposed. Conexis erroneously sent summary reports of Blue Cross/Blue Shield Flexible Spending Account Services to 11 state human resources and payroll employees. The reports included participants from across the state rather than from specific locations related to the human resources and payroll employees’ work. The human resources and payroll employees who received information that was not intended for them signed a certification confirming that they had deleted or destroyed the information.

Information Source:
Media

records from this breach used in our total: 13,000

September 6, 2013

James A. Haley Veterans Hospital
Tampa, Florida

MED

INSD

106

A volunteer allegedly stole the names and Social Security numbers of 106 patients and used the information to file $550,000 worth of fraudulent tax returns. The volunteer had a co-conspirator and the breach began in late January of 2012.

Information Source:
Media

records from this breach used in our total: 106

September 6, 2013

Illinois Department of Healthcare and Family Services
Springfield, Illinois

MED

DISC

Unknown

A contractor sent Family Health Network ID cards to the wrong addresses in July of 2013. A total of 3,100 clients had their names, Medicaid numbers, and dates of birth exposed.

Information Source:
Media

records from this breach used in our total: 0

September 5, 2013

Medical University of South Carolina (MUSC), Blackhawk Consulting Group
Charleston, South Carolina

MED

HACK

10,000 (7,000 from MUSC)

A hacker from outside of the United States accessed customer information from Blackhawk Consulting Group, a credit card processing vendor. The information included financial information from customers who paid the Medical University of South Carolina with a credit card online or over the phone between June 30 and August 21. No patient information was accessed. Some of Blackhawk Consulting Group’s other customers were affected, and a total of 10,000 people may have had their information exposed.

Boston Public School students across 36 schools may have had their information compromised by the loss of a flash drive. The flash drive was misplaced sometime around August 9 by BPS’s ID card vendor Plastic Card Systems.

Information Source:
Media

records from this breach used in our total: 0

September 5, 2013

North Texas Comprehensive Spine and Pain Center
Sherman, Texas

GOV

INSD

3,000 (No SSNs or financial information reported)

A former employee stole an external hard drive that contained the medical information of patients. There has been no evidence that the information on the hard drive was improperly used.

UPDATE (09/15/2013): Close to 3,000 patients were notified of the potential breach.

Information Source:
Media

records from this breach used in our total: 0

September 3, 2013

InterContinental Mark Hopkins San Francisco
San Francisco, California

BSO

PORT

Unknown

A July 4 burglary resulted in the exposure of guest information. The names, addresses, email addresses, phone numbers, and credit and debit card numbers of guests were on a computer hard drive that was stolen. The hotel learned of the possibility of a breach of guest data on July 14 and alerted guests around August 8.

Information Source:
Media

records from this breach used in our total: 0

September 3, 2013

St. Anthony
St. Louis, Missouri

MED

PORT

2,600 (No SSNs or financial information reported)

Patients with questions may call 800-524-7262 extension 1575.

A July 29 car burglary in which a laptop computer and a flash drive were stolen resulted in the exposure of patient information. Patient names, dates of birth, and other information contained in medical records were exposed.

Information Source:
Media

records from this breach used in our total: 0

September 2, 2013

Creative Banner Assemblies
Minneapolis, Minnesota

BSO

HACK

232

A website breach that occurred on June 1 and was discovered on July 22 resulted in the exposure of customer information. Names, addresses, phone numbers, unencrypted credit card information, and other information stored in temporary data files may have been accessed due to malicious code on the website.